feat(ci): Add Forgejo Actions CI and schema integration tests #2

Merged
rcsheets merged 3 commits from feat/ci-and-schema-tests into main 2026-04-12 19:35:46 +00:00
Owner

CI runs Go unit tests and a separate schema integration job that
spins up a throwaway Postgres 17 service, applies the three schema
migrations, and exercises the data model end-to-end.

Integration tests in internal/dbtest cover the full operation lifecycle
(plan → decision → operation → execution), the single-use execution
constraint, role enforcement across all four roles, the effective_trust
view's supersession chain, and the proportional_approval check constraints.

Includes RunnerPool manifest to provision a dedicated runner for the
repository via the existing custom runner management controller.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Add Forgejo Actions CI and schema integration tests
Some checks are pending
test / go-test (pull_request) Waiting to run
test / schema-test (pull_request) Waiting to run
57eb45bbd8
CI runs Go unit tests and a separate schema integration job that
spins up a throwaway Postgres 17 service, applies the three schema
migrations, and exercises the data model end-to-end.

Integration tests in internal/dbtest cover the full operation lifecycle
(plan → decision → operation → execution), the single-use execution
constraint, role enforcement across all four roles, the effective_trust
view's supersession chain, and the proportional_approval check constraints.

Includes RunnerPool manifest to provision a dedicated runner for the
repository via the existing custom runner management controller.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-dbef47-cdecf6
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — No security issues or obvious bugs found - this is a standard CI setup with integration tests.
Complexity: moderate

Safety Check Review

Summary

This PR adds CI/CD configuration and comprehensive integration tests for a database schema. No security vulnerabilities or obvious bugs detected.

Key Changes Reviewed

  • CI Configuration: Standard Forgejo Actions workflow with Go testing and Postgres service
  • Integration Tests: Comprehensive database tests covering the full operation lifecycle
  • Dependencies: Added pgx PostgreSQL driver (v5.9.1) - legitimate and current
  • Runner Configuration: Kubernetes-based CI runner manifest

Automated Alerts Addressed

  • "Possible secret detected": The POSTGRES_PASSWORD: test is a hardcoded test password for the ephemeral CI database service - this is standard practice and not a security concern
  • "High entropy in go.sum": This is normal for Go dependency checksums, which are cryptographic hashes by design

Security Assessment

  • No exposed production credentials
  • Test database uses ephemeral throwaway instance with non-sensitive password
  • No injection vulnerabilities in SQL - uses parameterized queries throughout
  • CI runs in isolated containers with appropriate resource limits

The changes appear well-structured and follow Go/CI best practices.

rcsheets changed title from Add Forgejo Actions CI and schema integration tests to feat(ci): Add Forgejo Actions CI and schema integration tests 2026-04-12 19:15:28 +00:00
rcsheets force-pushed feat/ci-and-schema-tests from 57eb45bbd8
Some checks are pending
test / go-test (pull_request) Waiting to run
test / schema-test (pull_request) Waiting to run
to a0e81cb42b
Some checks failed
test / go-test (pull_request) Failing after 57s
test / schema-test (pull_request) Failing after 27s
2026-04-12 19:18:19 +00:00
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-dbeffc-4ecc94
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — The CI workflow and integration tests look reasonable with no obvious security issues or bugs.
Complexity: moderate

Safety Check Review

Overview

This PR adds CI workflow and database integration tests. The automated flags about credentials and high entropy content are expected for this type of change.

Key Observations

CI Configuration (.forgejo/workflows/test.yaml)

  • Uses reasonable test database credentials (POSTGRES_PASSWORD: test) - appropriate for CI
  • Go version 1.26 looks legitimate (newer version post-training cutoff)
  • Workflow structure is standard and secure

Dependencies (go.mod/go.sum)

  • Added PostgreSQL driver jackc/pgx/v5 - standard choice
  • High entropy in go.sum is expected (checksums for dependency verification)
  • No suspicious or unexpected dependencies

Integration Tests (internal/dbtest/dbtest_test.go)

  • Comprehensive database schema testing
  • Proper connection handling with environment variables
  • Good test isolation with cleanup functions
  • Tests critical security features like role enforcement and single-use execution constraints

No Security Issues Found

  • No hardcoded production credentials
  • No exposed secrets (test credentials are appropriate)
  • No obvious injection vulnerabilities in SQL
  • Proper parameterized queries throughout

The automated observations are false positives expected for this type of change.

Use manual git clone in CI to avoid Node dependency
All checks were successful
test / go-test (pull_request) Successful in 1m25s
test / schema-test (pull_request) Successful in 27s
280cfa3db9
The golang image doesn't include Node, which actions/checkout@v4 needs.
Switch to the manual clone pattern used by front-door. Also pull base
images through the Harbor proxy for consistency.

Runner label set updated to [dind, trusted, directory-pacifier] to match
the RunnerPool definition.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-dbf138-ad3912
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — No obvious bugs, security issues, or breaking changes detected - just adding CI and integration tests for a database schema.
Complexity: moderate

Safety Check Review

Summary

Adding Forgejo Actions CI workflow and comprehensive database integration tests. No alarming issues found.

Key Changes

  • New CI workflow with Go unit tests and schema integration tests
  • Database integration tests covering full operation lifecycle and constraints
  • Added PostgreSQL driver dependency (github.com/jackc/pgx/v5)

Automated Observations Addressed

  • "Possible secret detected": The FORGEJO_TOKEN is properly used as a GitHub Actions secret reference (${{ secrets.FORGEJO_TOKEN }}), not a hardcoded value
  • "High entropy in go.sum": This is normal - Go module checksums are cryptographic hashes and naturally have high entropy

Notes

  • Go version 1.26 in the workflow is plausible (assuming this is from after my training cutoff)
  • Integration tests properly use environment variables for database connection
  • CI uses proper secret management and follows reasonable security practices
  • Test cleanup functions prevent interference between test runs

Everything looks standard for a CI setup with database integration testing.

Expand schema integration test coverage
All checks were successful
test / go-test (pull_request) Successful in 14s
test / schema-test (pull_request) Successful in 26s
3ab7b4ffe7
Adds tests for the remaining data model guarantees we care about:
rejection flow and plan-level rejected status, resubmission chains
via resubmission_of (and FK enforcement on bogus references),
expired approvals, overdue executions, failed executions surfacing
as partially_failed at the plan level, multi-operation rollout plans
with mixed outcomes (succeeded + failed + executing) and the
corresponding aggregated counts in rollout_plan_status, append-only
enforcement (UPDATE + DELETE) across all five append-only tables for
all four roles, the expected_target_count >= 1 check constraint,
and batch_id referential integrity.

Introduces an insertPlanAndOp helper to reduce setup duplication.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-dbf3c5-e7b466
This is an AI-generated review and may contain mistakes.

Status: Completed


⚠️ Verdict: Flag — The workflow file exposes a sensitive authentication token (FORGEJO_TOKEN) in plaintext during repository cloning operations.
Complexity: moderate

Security Issue: Token Exposure in CI Workflow

Critical Issue

The CI workflow .forgejo/workflows/test.yaml contains a security vulnerability where the FORGEJO_TOKEN is exposed in the git clone command:

git clone "https://oauth2:${FORGEJO_TOKEN}@${HOST}/${{ forgejo.repository }}.git" .

This token will be visible in:

  • CI logs (potentially)
  • Process lists during execution
  • Shell history

Recommendation

Use a more secure checkout method or ensure the token is properly masked in all output contexts. Consider using the standard checkout action if available, or redirect stdout/stderr when running the git clone command.

Other Observations

The rest of the changes appear reasonable:

  • Go 1.26 is plausible (matches the forward-looking version pattern)
  • Database integration tests are comprehensive and well-structured
  • go.sum high entropy is expected for dependency checksums
  • Test coverage includes proper role-based access controls and constraint validation
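One way to keep the token out of the clone URL, as an added example that is not code from the PR or the project: it assumes the same FORGEJO_TOKEN, HOST and repository values the flagged workflow step uses, and that the runner's git supports GIT_CONFIG_COUNT (git 2.31 or later). Besides the log and process-list exposure the review lists, a `https://oauth2:TOKEN@host/...` clone also persists the token in the checkout's `.git/config` as `remote.origin.url`; passing the credential as a per-process `http.extraheader` avoids both.

```shell
#!/usr/bin/env bash
# Added example (not part of the PR): clone a Forgejo repository in CI
# without embedding FORGEJO_TOKEN in the URL, so the token appears neither
# in git's argv (readable from the container's process list) nor in the
# cloned repository's .git/config.
# Assumed inputs: host, repo ("owner/name"), dest directory and the token.
set -euo pipefail

# Build the remote URL with no credentials in it.
clone_url() {
  local host="$1" repo="$2"
  printf 'https://%s/%s.git' "$host" "$repo"
}

# Exit 0 if the text (URL, log line, config value) does NOT contain the
# token, exit 1 if it does. Quoting the pattern keeps token characters
# from being treated as globs.
leaks_token() {
  local token="$1" text="$2"
  case "$text" in *"$token"*) return 1 ;; esac
  return 0
}

# Clone with the credential supplied through git's per-process config
# environment (GIT_CONFIG_COUNT / _KEY_0 / _VALUE_0) as an Authorization
# header. The header lives only in this process's environment: it is not
# part of the command line and is not written into .git/config.
clone_with_token() {
  local host="$1" repo="$2" dest="$3" token="$4"
  local basic
  basic=$(printf 'oauth2:%s' "$token" | base64 | tr -d '\n')
  GIT_CONFIG_COUNT=1 \
  GIT_CONFIG_KEY_0=http.extraheader \
  GIT_CONFIG_VALUE_0="Authorization: Basic ${basic}" \
    git clone --quiet "$(clone_url "$host" "$repo")" "$dest"
}

# Post-clone check a workflow step can run: the persisted remote URL
# must not carry the token.
remote_url_is_clean() {
  local dest="$1" token="$2"
  leaks_token "$token" "$(git -C "$dest" config --get remote.origin.url)"
}
```

In the workflow, `clone_with_token "$HOST" "${{ forgejo.repository }}" . "$FORGEJO_TOKEN"` replaces the flagged `git clone` line, and `remote_url_is_clean . "$FORGEJO_TOKEN"` can follow it as a guard.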
rcsheets deleted branch feat/ci-and-schema-tests 2026-04-12 19:35:47 +00:00